SecurityPitfalls.org is a community project that collects situations where security fails. It is primarily for educational purposes, as a source for discussions and presentations, and for fun. If you have related material you want to share with others, just send in your photos, stories or movies to incoming {at} securitypitfalls.org.

Sunday, February 28, 2010

You might say, "Of course, security has to be applied 24/7", but what is obvious is not always standard practice. An example was given by Sebastian Klipper on his blog "Klipper on Security: Ps(i)2 - Sicherheit in Informationssystemen". Thanks for sharing the content of his post under a CC license.

During the night, journalist Tommaso Cerno took a short trip to the airport of Rome and shared his experience on the web. The problem? There was no security at all. The screening lines and the security areas were freely accessible, doors secured by access codes or code cards were open, and homeless people were taking a nap inside. Tommaso filmed his tour through the airport and published it online:

http://espresso.repubblica.it/multimedia/home/22897704.

It would be an easy task to smuggle weapons or drugs into the airport during the night. The only risk would be that one of the homeless people could find them before the next day and take them away, as Sebastian Klipper points out.

Wednesday, February 10, 2010

Sebastian Klipper, Senior Information Security Consultant, recently wrote on his blog Klipper on Security about an incident he experienced in a hotel. It is quite usual to have safes in hotel rooms to store important documents. It might also be obvious that lots of these safes have master key combinations to open them in case of emergency. But he was quite surprised when he noticed how easy it was to get the master key, and that it was only 3 digits long.

One day, when he wanted to open the safe with his 4-digit code, it just responded with the message "BATTERY ERROR!". So he made his way down to the reception and asked for help. The friendly receptionist went upstairs with him to have a look at the safe. After he had demonstrated the problem, the receptionist, standing right in front of the safe, started entering a code and said:

"Enter, 0, 0, 2, Enter, Enter."

Open! That was it, and after the receptionist left, Sebastian Klipper knew the master code. Sometimes the easiest way to circumvent a security system is to ask politely for help.

Thanks very much to Sebastian Klipper who gave us the rights to publish his story with his pictures on SecurityPitfalls.

Thursday, February 4, 2010

Berni sent us the following story from Steyr in Upper Austria. On a visit to the University of Applied Sciences, she found a locked room on one of the floors that was nonetheless accessible. The only drawback: somebody had left the keys in the door.

Now, the question is, how much value does access to this room have?

First of all, you can steal paper, but that shouldn't cause too much damage to the company. Secondly, an intruder could wait for important documents to be printed out. As this room is locked during the day, it could be an interesting place for getting information. Another source of information is the key itself. Even if an attacker can't get much value out of the information in the room, she could try to copy the key or just take notes about the cuts of the key. This could enable the attacker to duplicate it or use it in combination with some other keys to reconstruct the master key of the university's locks.

So the key lesson of this story: never leave your keys unattended - and never leave them in the door. :) Thanks to Berni for sending in this story and the pictures.

Update (7/2/2010): Churchy added another security issue that wasn't mentioned in the blog posting above. An attacker could use the printer's network cable to get access to the network. This could be interesting especially in situations where you otherwise only have access to a secured WLAN that is separated from the internal LAN.